authorChristian Breunig <christian@breunig.cc>2024-05-30 11:20:56 +0200
committerChristian Breunig <christian@breunig.cc>2024-05-30 11:20:56 +0200
commite6fe6e50a5c817e18c453e7bc42bb2e1c4b17671 (patch)
treee46c2b6cb8a3218d3b8145f1c370a09dffc4392a /src/op_mode/ikev2_profile_generator.py
parentb7595ee9d328778105c70e3d4399ac45f555b304 (diff)
op-mode: ipsec: T6407: fix profile generation
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates, which broke the OP mode command that generates the IPSec profiles: it did not expect a list and was still working on a string. Multiple CAs can now be rendered into the Apple iOS profile.
Diffstat (limited to 'src/op_mode/ikev2_profile_generator.py')
-rwxr-xr-xsrc/op_mode/ikev2_profile_generator.py19
1 files changed, 13 insertions, 6 deletions
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 2b29f94bf..4ac4fb14a 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -144,15 +144,22 @@ tmp = reversed(tmp)
data['rfqdn'] = '.'.join(tmp)
pki = conf.get_config_dict(pki_base, get_first_key=True)
-ca_name = data['authentication']['x509']['ca_certificate']
cert_name = data['authentication']['x509']['certificate']
-ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
-cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+data['certs'] = []
+
+for ca_name in data['authentication']['x509']['ca_certificate']:
+ tmp = {}
+ ca_cert = load_certificate(pki['ca'][ca_name]['certificate'])
+ cert = load_certificate(pki['certificate'][cert_name]['certificate'])
+
+
+ tmp['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ tmp['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+ tmp['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
+
+ data['certs'].append(tmp)
-data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
key_mangling=('-', '_'), get_first_key=True)
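Review bot: The leaf certificate is loaded and its CN extracted once per CA inside the new loop (the `cert = load_certificate(...)` and `tmp['cert_cn'] = ...` lines), although neither depends on `ca_name`; hoist them above the `for` as `cert = load_certificate(pki['certificate'][cert_name]['certificate'])` and `cert_cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value`, and keep `tmp['cert_cn'] = cert_cn` in the loop so the per-entry shape the template consumes is unchanged. The loop also reuses the name `tmp`, which the context line just above (`data['rfqdn'] = '.'.join(tmp)`) already uses for the reversed FQDN parts; a name such as `entry` would avoid the shadowing. Unchanged from the removed lines, a CA entry whose subject carries no commonName makes the `[0]` on the `get_attributes_for_oid(...)` result raise IndexError, and a `ca_certificate` name absent from `pki['ca']` raises KeyError, so the op-mode command still aborts with a traceback rather than a message naming the offending CA — worth a guard now that several CAs are iterated. This is top-level script code, not a function, and the template that renders `data['certs']` is outside the diffstat shown here, so I cannot confirm it iterates the new list.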